CVE-2023-49074
A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of network requests can lead to a reset to factory settings. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926
Tp-Link N300 Wireless Access Point (EAP115) v5.0.4 Build 20220216
AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) - https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225/
7.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CWE-749 - Exposed Dangerous Method or Function
The EAP225(US) AC1350 Access Point is a wireless access point from TP-Link offering native integration with TP-Link Omada Cloud SDN for centralized cloud management and zero-touch provisioning.
For approximately fifteen minutes following a device reboot, the TP-Link EAP115 and EAP225 Omada Gigabit access points expose the TP-Link Device Debug Protocol (TDDP) service on UDP/1040. The TDDP service exposes unauthenticated access to device functionality normally intended for troubleshooting activities. The implemented functionality appears to vary by device.
TDDP request messages consist of a 0x1C-byte header followed by a data field that is only used by some commands, as shown below.
struct tddp_header {
    uint8_t  version;        // protocol version (0x01 or 0x02)
    uint8_t  type;           // TDDP_SPECIAL_CMD_OPT_Subtype (0x03) or TDDP_ENC_CMD_OPT_Subtype (0x07)
    uint8_t  code;           // 0x01
    uint8_t  direction;      // 0x00 for request
    uint32_t pay_len;        // number of bytes contained within the payload
    uint16_t pkt_id;         // 0x01
    uint8_t  sub_type;       // TDDP_SPECIAL_CMD_OPT or TDDP_ENC_CMD_OPT depending on `type`
    uint8_t  reserved;       // 0x00
    uint8_t  digest[0x10];   // MD5 digest of the message
};
The TP-Link EAP115 and EAP225 mainly use version 2 of the TDDP service, implementing two of the available request types: TDDP_SPECIAL_CMD_OPT and TDDP_ENC_CMD_OPT.
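The header layout above is enough to recognise TDDP requests in traffic to UDP/1040 and to single out the TDDP_ENC_CMD_OPT type, which is the request type whose handler contains the factory-reset path described further down. The following detection helper is an added example for this advisory, not code from Cisco Talos or TP-Link. It assumes that the multi-byte header fields are big-endian (the decompiled code applies htonl() to pay_len, which is consistent with that, but the advisory does not state it outright) and uses constructed sample datagrams rather than captured traffic. Because the advisory does not say where in the message the 0x49 sub-request code is read from, the classifier stops at the request-type level rather than guessing at the payload.

```python
"""Detect TDDP v2 request headers on UDP/1040 and flag the request type that reaches
the factory-reset handler.

Added example for the advisory, not Cisco Talos or TP-Link code. Assumptions the
advisory does not state: multi-byte header fields are big-endian (the decompiled
encCmdOpt() applies htonl() to pay_len, which is consistent with this), and the
sample datagrams below are constructed for illustration, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TDDP_PORT = 1040
HEADER_LEN = 0x1C
TDDP_SPECIAL_CMD_OPT = 0x03
TDDP_ENC_CMD_OPT = 0x07
TYPE_NAMES = {TDDP_SPECIAL_CMD_OPT: "special-cmd", TDDP_ENC_CMD_OPT: "enc-cmd"}

# version, type, code, direction, pay_len (u32), pkt_id (u16), sub_type, reserved, digest[16]
HEADER_FMT = ">BBBBIHBB16s"


@dataclass
class TddpHeader:
    version: int
    type: int
    code: int
    direction: int
    pay_len: int
    pkt_id: int
    sub_type: int
    reserved: int
    digest: bytes


def parse_tddp(payload: bytes) -> Optional[TddpHeader]:
    """Decode the 0x1C-byte header; return None if the datagram cannot be a TDDP request."""
    if len(payload) < HEADER_LEN:
        return None
    hdr = TddpHeader(*struct.unpack(HEADER_FMT, payload[:HEADER_LEN]))
    # Field constraints taken from the struct comments in the advisory.
    if hdr.version not in (0x01, 0x02):
        return None
    if hdr.direction != 0x00:  # 0x00 marks a request; replies are out of scope here
        return None
    return hdr


def classify(dst_port: int, payload: bytes) -> str:
    """Map one UDP datagram to an alert label for a NIDS rule or log enrichment."""
    if dst_port != TDDP_PORT:
        return "ignore"
    hdr = parse_tddp(payload)
    if hdr is None:
        return "udp1040-non-tddp"
    name = TYPE_NAMES.get(hdr.type, f"unknown-type-0x{hdr.type:02x}")
    label = f"tddp-v{hdr.version}-{name}"
    if hdr.type == TDDP_ENC_CMD_OPT:
        # encCmdOpt() is the handler whose sub-request 0x49 calls tddp_resetFactory()
        label += " [factory-reset handler reachable]"
    if hdr.pay_len != len(payload) - HEADER_LEN:
        label += " [pay_len mismatch]"  # declared payload length disagrees with the datagram
    return label


def scan(datagrams: List[Tuple[int, bytes]]) -> List[str]:
    """Classify a list of (dst_port, payload) pairs, e.g. extracted from a pcap."""
    return [classify(port, data) for port, data in datagrams]


# Constructed sample datagrams (zeroed digest and payload; not real captures).
SAMPLE_ENC = struct.pack(HEADER_FMT, 0x02, TDDP_ENC_CMD_OPT, 0x01, 0x00, 4, 0x01,
                         TDDP_ENC_CMD_OPT, 0x00, b"\x00" * 16) + b"\x00" * 4
SAMPLE_SPECIAL = struct.pack(HEADER_FMT, 0x02, TDDP_SPECIAL_CMD_OPT, 0x01, 0x00, 0, 0x01,
                             TDDP_SPECIAL_CMD_OPT, 0x00, b"\x00" * 16)

if __name__ == "__main__":
    for line in scan([(TDDP_PORT, SAMPLE_ENC), (TDDP_PORT, SAMPLE_SPECIAL),
                      (TDDP_PORT, b"\x00" * 10), (53, SAMPLE_ENC)]):
        print(line)
```

In practice the same checks translate directly into a UDP/1040 signature (version byte 0x01 or 0x02, direction 0x00, type 0x07) for the fifteen-minute post-reboot window during which the service is exposed; any such datagram arriving from outside the management network is worth an alert on its own, since TDDP is unauthenticated.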
004086c0 int32_t tddp_versionTwoOpt(int32_t arg1, void* arg2, int32_t arg3)
...
00408868 else
00408868 memset(arg1, 0, 0x14000)
00408888 memcpy(arg1, arg2, 0x1c)
0040889c uint32_t $v0_11 = zx.d(*(arg1 + 1))
004088b4 if ($v0_11 == 3)
004088f4 printf("[TDDP_DEBUG]<debug>[%s:%d] Speci…", "tddp_versionTwoOpt", 0x407)
00408910 specialCmdOpt(arg2, arg1)
00408938 printf("[TDDP_DEBUG]<debug>[%s:%d] Speci…", "tddp_versionTwoOpt", 0x409)
004088c8 if ($v0_11 == 7)
0040895c puts("TDDP: enc_cmd. \r")
00408978 encCmdOpt(arg2, arg1)
00408994 puts("TDDP: enc_cmd over. \r")
...
00408a04 return var_c
When a TDDP_ENC_CMD_OPT request is chosen, one of the available sub-requests (0x49) triggers a factory reset of the device.
00408a0c int32_t encCmdOpt(void* arg1, int32_t arg2)
...
00408bc4 if ($v0_12 == 0x49)
00408bdc puts("TDDP: resetting. \r")
00408c0c uint32_t $v1_5 = zx.d(tddp_resetFactory(arg1 + 0x1c, arg2))
00408c4c *(arg2 + 4) = htonl((*(arg2 + 7) | (0xffff0000 & (*(arg2 + 4) << 0x10 | $v1_5))) + 0xc)
00408c64 $v0_2 = puts("TDDP: reset over. \r")
...
00408ee8 return $v0_2
00404110 int32_t tddp_resetFactory(int32_t arg1, int32_t arg2)
...
00404154 if (arg1 != 0 && arg2 != 0)
004041a0 if (arg2 == 0)
004041c4 $v0_2 = printf("[TDDP_ERROR]<error>[%s:%d] pTddp…", "tddp_resetFactory", 0x577)
004041fc else
00404214 if (wrpOpDo(0x240002, 0, 0, 0, 0, 0, 0x423640) != 0)
00404238 printf("[TDDP_ERROR]<error>[%s:%d] faile…", "tddp_resetFactory", 0x57e)
00404248 int32_t var_18_1 = 0xffffffff
...
004042a8 return $v0_2
When a request is properly constructed and sent to a TP-Link EAP115 or EAP225 with the TDDP service listening, the device resets its configuration to the factory default and begins acting abnormally until the next power cycle, when the default configuration takes full effect.
The vendor released new firmware at:
https://www.tp-link.com/us/support/download/eap115/v4/#Firmware
https://www.tp-link.com/us/support/download/eap225/v3/#Firmware
2023-12-11 - Vendor Disclosure
2024-04-03 - Vendor Patch Release
2024-04-09 - Public Release
Discovered by the Vulnerability Discovery and Research team of Cisco Talos.